PDPL Implementation (Advanced)

20 questions · 5:00

1. Which implementation artifact most directly proves purpose limitation for each data field?

2. Which scenario most likely requires a DPIA before launch?

3. A dataset is pseudonymized but the key is retained by the controller. Which statement is correct?

4. Phone numbers were collected for 2FA. The business now wants marketing SMS. What is the correct step?

5. Which access-control design best enforces least privilege in a data-protection program?

6. Which DPA clause most prevents a processor from becoming a controller?

7. What is the strongest technical control to enforce retention schedules?

8. Before transferring personal data outside Saudi Arabia, what is the most fundamental requirement?

9. An access request arrives from an email address. What should the controller do first?

10. For API logs that may include personal data, which practice best reduces exposure while preserving auditability?

11. When is notifying data subjects typically required?

12. Which action best demonstrates privacy by design during development?

13. Which key-management practice most strengthens protection of encrypted data?

14. Which factor should primarily drive data sensitivity classification?

15. A vendor uses customer data to train its own models beyond your instructions. What is its role for that use?

16. Which operational measure best supports data accuracy?

17. Which element is essential in records of processing to demonstrate accountability?

18. Consent is most likely invalid when it is:

19. To align with fairness/proportionality when monitoring employee activity, which approach is best?

20. Which assignment most undermines DPO independence?